This Policy covers the entirety of our Company and is applied for all personal data processing activities for which our Company is the data controller.

DEFINITIONS

The terms used in the implementation of this Policy have the following meanings:

Data Controller

In terms of personal data processing activities covered by this Policy, the data controller is the legal entity of our Company.

Inventory and Record Keeping

A personal data processing inventory is kept by our company in order to monitor and manage personal data processing activities and to comply with our legal obligations. Within the scope of this inventory, information such as personal data categories and processing purposes, recipient groups to which they are transferred, storage periods are listed by associating them with our Company's business processes. Inventory summary can be followed publicly by declaring it to the VERBIS platform.

Education and Awareness

It ensures that the employees who take part in the personal data processing activities of our Company and/or have access to personal data receive the necessary legislative and information security trainings, thus maintaining the general awareness of our Company on the protection of personal data and ensuring that the new employees who join our Company are at this level of awareness. Necessary legislation and information security trainings for our company's employees are carried out periodically.

PROTECTION OF PERSONAL DATA

Personal data processing activities are carried out in accordance with the personal data protection legislation and especially the KVK Law, and all the conditions explained in this section are fulfilled to the extent that they comply with the characteristics of the situation.

General Principles

In all personal data processing activities carried out by our company, the following principles are always followed.

Compliance with Law and Integrity

In the processing of personal data, not only the KVK Law, but also all other laws and regulations should be acted upon, and the interests and reasonable expectations of the personal data owners should be taken into account.

Being Accurate and Up-to-Date When Necessary

In order to keep personal data accurate and up-to-date, personal data must be collected in a manner consistent with reality at the stage of obtaining, and the information must be accurate. In addition, opportunities should be created to enable personal data owners to submit their requests that may arise from the fact that the data is not accurate or up-to-date, and these requests should be handled carefully.

If a processing activity is of a nature to have consequences for the personal data owner, it should be checked whether the personal data is up-to-date and, if necessary, the personal data owner should be contacted so that the data can be updated.

Processing for Specific, Explicit and Legitimate Purposes

The purpose of processing personal data must be determined clearly and precisely before the personal data is obtained, and this purpose must be legitimate, that is, in accordance with the law. In this context, personal data should not be collected without specifying a purpose or for a very general purpose. A new processing basis (such as obtaining consent) should be determined before a personal data obtained is used for purposes other than the purpose for which it was collected, and if this is not possible, the purpose of collection should not be exceeded. In addition, transparency steps should be taken to make the purpose of processing known to the personal data owner.

Our company determines the processing purposes within the scope of the personal data processing inventory in terms of the processing activities it carries out and controls their legitimacy. In addition, within the scope of the disclosure obligation, the said purposes are notified to the personal data owners.

Being Relevant, Limited, and Measured to Purpose

According to this principle, which is also expressed as the minimum processing principle, personal data should be suitable for the realization of the determined purposes, and the processing of personal data that is not related to the realization of the purpose or that is not needed for this purpose should be avoided. For example, personal data should not be collected in order to meet the needs that may arise later.

Conservation As Necessary

Personal data should be kept for this period, if there is a period foreseen in the relevant legal legislation, or for this period if the period required for the purpose for which they are processed is longer. If there is no valid reason for keeping a personal data, that personal data should be destroyed, that is, it should be deleted, destroyed or anonymized. Accordingly, our company preserves personal data as long as necessary.

Legal Compliance

Machining Fundamentals

In order for any personal data to be processed in accordance with the law, the processing activity must be based on at least one of the processing fundamentals listed in the KVK Law. The express consent of the personal data owner is only one of the basis for this processing, and it is also possible to process personal data without obtaining the explicit consent of the personal data owner.

If the personal data processing activity is based on one of the processing bases other than express consent, then there will be no need for express consent from the personal data owner. Because while it is possible to carry out the processing on a basis other than express consent, relying on explicit consent may be deceptive. In this context, it should be evaluated whether the personal data processing activity is primarily based on one of the processing grounds other than express consent, and if at least one of the grounds other than express consent is not applicable, then the explicit consent of the personal data owner should be obtained in order to carry out the processing activity.

The processing of personal data carried out by our company is based on the legal processing principles specified in Articles 5 and 6 of the KVK Law. However, the transfer of data belonging to real persons outside the company in the e-mail system is considered as data transfer abroad in accordance with the decision of the institution. Since one of the ways of compliance with the law for data transfer abroad requires the express consent of the person concerned, express consent is requested for this processing activity in accordance with Article 5 (1) of the law.

Processing of Private Personal Data

Our company attaches utmost importance to the protection of sensitive personal data and implements the necessary administrative and technical measures in this direction.

Transparency

Disclosure of Personal Data Owners

It is essential for our company that personal data processing activities take place within the knowledge of the personal data owner. In this context, to the personal data owner by the responsible managers; It is ensured that the identity of the data controller and its representative, if any, for what purposes the personal data will be processed, to whom and for what purposes it can be transferred to third parties, the method of collecting personal data and the legal reason, and the rights of the personal data owner listed in the KVK Law.

On the other hand, in the cases listed in Article 28 of the KVK Law, including the processing of personal data made public by the person concerned, provided that it is in accordance with the purpose and basic principles of the KVK Law and proportionally, it will not be necessary to inform the personal data owners within the scope of this article.

Meeting the Requests of Personal Data Owners

Rights of Personal Data Owners

Personal data owners have the following rights in accordance with the KVK Law:

• Learning whether personal data is processed or not,
• If personal data has been processed, requesting information about it,
• Learning the purpose of processing personal data and whether they are used in accordance with their purpose,
• Knowing the third parties to whom personal data is transferred in the country or abroad,
• Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transactions made within this scope to the third parties to whom the personal data has been transferred,
• Requesting the deletion or destruction of personal data for which the reasons requiring processing have disappeared and requesting notification of the transactions made within this scope to third parties to whom the personal data has been transferred,
• Objecting to the emergence of a result against him by analyzing the processed data exclusively through automated systems,
• To request the compensation of the damage in case of loss due to unlawful processing of personal data.

Provided that they are in accordance with the purpose and basic principles of the KVK Law and proportionally, personal data owners cannot claim their other rights, except for the right to demand the compensation of the damage, in the cases listed below:

• Personal data processing is necessary for the prevention of crime or for criminal investigation,
• Processing of personal data made public by the person concerned,
• Personal data processing is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions, based on the authority given by the law,
• The processing of personal data is necessary for the protection of the economic and financial interests of the state with regard to budgetary, tax and financial matters.

Exercise of Personal Data Owner's Rights

Personal data owners; In writing, they can claim their rights by using their registered e-mail (KEP) address, secure electronic signature, mobile signature or e-mail addresses previously notified to our Company and registered in our system. Applications made by personal data owners are answered as soon as possible and within 30 days at the latest.

Cost of Application

No fee is charged for up to ten pages of the response provided by our company, but a processing fee of 1 Turkish Lira may be charged for each page above ten pages. If the response to the application is given in a recording medium such as CD, portable memory, the cost of the relevant recording medium is requested from the personal data owner. If the application is caused by an error of our Company, all fees and expenses are returned to the personal data owner.

Data Transfers and Third Party Compliance

Legal Compliance

When personal data can be transferred to third parties, it is checked whether the basis of processing is applicable in a transfer-specific manner and the situation is fulfilled. For example, the legal obligation must be for the transfer of personal data or the express consent must have been obtained for the transfer of personal data.

When it comes to the transfer of sensitive personal data, all necessary measures are applied.

Administrative and Technical Measures

Before transferring personal data to a third party or granting access to our Company's storage areas to a third party, it is ensured that the other party will show sufficient care and care in the processing of personal data and ensure the appropriate level of security.

Transfer of Personal Data in Physical Environment

Personal data in physical environment includes all personal data except electronic media where personal data can be read.

This section of this Personal Data Transfer Policy includes the requirements for the physical transfer of personal data. Unless stated otherwise, company employees must abide by this Policy if they are transferring personal data in a physical environment. In cases where the employee makes a transfer or witnesses the transfer, he is obliged to notify the KVKK Working Group. 

The employee or department that transfers data in the physical environment must be able to prove that the person's explicit consent was obtained when obtaining the personal data to be transferred. For personal data transferred without express consent, responsibility cannot be counted solely on the person who obtained the data. The transferring person or department has a degree of responsibility that cannot be separated from the data processor over the personal data they transfer. 

The transfer of data without express consent is only valid in cases where the exceptions specified in the Law (second paragraph of 8th article) are provided. In all cases other than these exceptions, personal data cannot be transferred without the explicit consent of the person concerned. If the person cannot be sure of the validity of the exception, he should make a transfer in consultation with the KVKK Working Group. 

Physical documents containing Personal Data must not be processed while being transferred. During the transfer, the personal data on the document should not be seen even by the person transferring it. For this reason, depending on the physical size of the transfer files, if the personal data has been processed before reaching the person to be transferred, the transfer must be carried out in a traceable manner during the transfer. This follow-up will be carried out by sealing the sealed envelope, parcel, box. In cases where sealing is not possible, the transfer can only be made with the knowledge and approval of the KVKK Working Group. 

The sending party is obliged to confirm that the personal data has been received by communicating with the receiving party at the end of the expected transfer period. The receiving party, on the other hand, informs the sender that the personal data is not processed (protects its seal) during the transfer and, in cases where it thinks otherwise, transfers the situation to the sending party and the relevant person in the KVKK Working Group.

Electronic Transfer of Personal Data

Personal data in electronic media includes all personal data in which personal data is made readable using an electronic device.

This section of this Personal Data Transfer Policy describes the requirements for electronic transfer of personal data. Unless stated otherwise, company employees must abide by this Policy if they are transferring personal data electronically. In cases where the employee makes a transfer or witnesses the transfer, he is obliged to notify the KVKK Working Group. 

The employee or department that transfers data electronically should be able to prove that the person's explicit consent was obtained when obtaining the personal data to be transferred. For personal data transferred without express consent, responsibility cannot be counted solely on the person who obtained the data. The transferring person or department has a degree of responsibility that cannot be separated from the data processor over the personal data they transfer. The transfer of data without express consent is only valid in cases where the exceptions specified in the law (second paragraph of 8th article) are provided. In all cases other than these exceptions, personal data cannot be transferred without the explicit consent of the person concerned. If the person is not sure of the validity of the exception, he should make a transfer in consultation with the KVKK Working Group. 

Before personal data is transferred electronically, it must be ensured that the recipient is authorized to process the data. 

Electronic transfer of personal data can be done with the following methods and only if the specified conditions are met, in case these methods are insufficient, the KVKK Working Group should be informed.

1. Electronic mail

The transfer process can be carried out if the department manager who makes the transfer is among the e-mail recipients. Even with the knowledge of the Department Manager, in cases where the e-mail is not the recipient, the employee will be deemed to have acted against the policy. 

In the e-mail text, information should be given that the content and/or attachments of the e-mail contain personal data, and the processing of personal data should be prevented by encrypting it. The password must be shared with the recipient via another e-mail or contact method. In the event that the encryption process will not be performed, the relevant employee should inform the unit manager and the unit manager should inform the KVKK Working Group and obtain approval. 

2. Portable Media

portable media; hard disks, CDs, DVDs, tapes, USB sticks, USB hard disks, memory cards and all electronic platforms where electronic media can be physically moved. 

While transferring personal data with portable media, portable media can be encrypted. Personal data of special nature cannot be transferred to portable media without password. The password is transmitted by the sender to the receiver using a different communication channel. 

The employee who transfers the data is also responsible for the destruction of the data in the removable media. The media cannot be used for any other process without destroying the personal data in the portable media. 

The physical transfer of portable media must be made directly from the sender to the receiver. In cases where this transfer cannot be made directly, the transfer should be made using the minimum intermediary. During the transfer, the courier service contracted by the company is used, cargo service cannot be used in the transfer. 

3. Cloud Sharing (Cloud)

Cloud sharing includes all the shares where the personal data is uploaded to an online storage area by the sender and the recipient obtains the data from there. 

The employee, who transfers personal data via cloud sharing, shares information with the Company's Information Technologies Department about the most secure method, together with the department manager, who owns personal data, before each transfer. In all cases where personal data will be shared via cloud sharing, it is obligatory to inform the Information Technologies Department of the Company.

Data shared with the cloud sharing method is encrypted. The password is transmitted by the sender to the receiver using another communication channel. Cloud sharing can only be done using company hardware and network, the employee is not allowed to do cloud sharing without using company hardware and network.

4. Network Sharing

Personal data can be shared within and/or between departments using the company's common areas. In sharing over the network, personal data can only be transferred in encrypted form and cryptographic protocols are applied during the transfer. The password is transmitted from the sender to the receiver using a different communication channel. If the employee considers that the transfer of personal data is not suitable for encryption or the application of cryptographic protocols, the KVKK Working Group is informed within the knowledge of the relevant unit manager and the transfer is carried out only in cases where the Group approves.

When sharing on the network, only the receiving department and/or employee must have access to the area used, and this control is the responsibility of the sender. Upon completion of the sharing, the receiver must inform the sender by destroying the personal data over the network. Receiving the information, the sender must check and make sure that personal data no longer exists in the common area on the network.

Transfer of Personal Data Abroad

In order for personal data to be transferred abroad, it is checked that the processing bases specified under the title of "Compliance with the Law" of this Policy are applicable in a way specific to the transfer abroad and the situation is done accordingly. If the basis for processing is not express consent, then, in addition to the basis for processing, further:

1. It is ensured that there is sufficient protection in the foreign country to which the personal data will be transferred, or
2. In case of lack of adequate protection, the establishment of a contractual relationship with the receiving party abroad and the "Minimum Elements to be Included in the Commitment to be Prepared by Data Controllers in Data Transfer Abroad" published by the KVK Institution are included.
3. Since one of the ways of compliance with the law for data transfer abroad requires the express consent of the person concerned, express consent is requested for this processing activity in accordance with Article 5 (1) of the law.

In addition to meeting the necessary conditions, the domestic transfer of personal data in the physical environment is carried out directly from the sender to the recipient when possible. Indirect or hand-to-hand transfer is preferred only when necessary.

The transfer of personal data in physical environment abroad can only be made to countries where there is sufficient protection to be announced by the Board. If the country to be transferred is not determined as the country with sufficient protection, the information of the KVKK Working Group will be consulted before the transfer.

Data security

Administrative and Technical Measures

In all activities carried out by our company, all necessary technical and administrative measures are taken to ensure the appropriate level of security in order to prevent the unlawful processing of personal data, to prevent illegal access to personal data and to ensure the protection of personal data. Our administrative and technical measures have been publicly declared on the VERBIS platform.

Data Security Breach

In the event that the personal data processed by our company is obtained by third parties illegally, this situation must be reported to the relevant personal data owners and the KVK Board as soon as possible. In order to ensure compliance with this obligation, significant events in terms of personal data security are monitored throughout our Company and necessary actions are taken by evaluating whether they constitute a data security breach. If there is a data security breach, the KVK Board is notified within 72 hours at the latest from the moment the breach is learned.

Destruction of Personal Data

Deletion of personal data is the process of making personal data inaccessible to the relevant users in any way.

Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.

Anonymization of personal data is the removal or change of all direct and/or indirect identifiers in a data set, preventing the identification of the data subject from being identified, or losing its distinctiveness in a group/crowd so that it cannot be associated with a natural person. 

As the data controller, we are obliged to take all kinds of technical and administrative measures necessary for the deletion, destruction or anonymization of personal data. Physical or electronic personal data whose storage periods are completed twice a year are detected and destroyed.